CVE-2026-3063
Published: 23 February 2026
Summary
CVE-2026-3063 is a medium-severity vulnerability in Google Chrome whose weakness type (CWE) is unspecified. Its CVSS base score is 5.4 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Browser Extensions (T1176.001). The CVE is ranked at the 8.0th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-11 (User-installed Software) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-3063 is an inappropriate implementation vulnerability in the DevTools component of Google Chrome prior to version 145.0.7632.116. It enables an attacker who convinces a user to install a malicious extension to inject scripts or HTML into a privileged page via DevTools. The issue affects Chromium-based browsers, with a CVSS v3.1 base score of 5.4 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N) and High severity as rated by Chromium security.
The attack requires an attacker to socially engineer a user into installing a malicious browser extension, which then exploits DevTools to perform script or HTML injection on privileged pages. Successful exploitation results in low-impact confidentiality and integrity violations, such as limited unauthorized data access or content modification, with no availability impact and requiring user interaction.
Mitigation is provided in the Google Chrome stable channel update to version 145.0.7632.116 or later, as announced in the Chrome Releases blog at https://chromereleases.googleblog.com/2026/02/stable-channel-update-for-desktop_23.html. Additional technical details are documented in the Chromium issue tracker at https://issues.chromium.org/issues/485287859. Security practitioners should advise users to update promptly and exercise caution with extension installations.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-7471
Vulnerability details
Inappropriate implementation in DevTools in Google Chrome prior to 145.0.7632.116 allowed an attacker who convinced a user to install a malicious extension to inject scripts or HTML into a privileged page via DevTools. (Chromium security severity: High)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is directly triggered by a malicious browser extension (Browser Extensions, T1176.001) after the user installs and runs that extension (Malicious File, T1204.002), enabling unauthorized script or HTML injection into privileged DevTools pages.
Mitigating Controls (NIST 800-53 r5)
- CM-11 (User-installed Software): directly restricts or authorizes the user-installed browser extensions that are required for exploitation.
- SI-2 (Flaw Remediation): requires prompt application of the vendor patch that eliminates the DevTools injection flaw.
- Enforces least privilege so a malicious extension cannot reach privileged pages even if installed.
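As an added illustration (not part of this advisory and not Chromium's own tooling), a small Python fleet check that applies the two controls above to a constructed endpoint inventory: it compares each host's reported Chrome build against the fixed release 145.0.7632.116 and flags installed extensions that are not on an approved allowlist. Host names, versions and extension IDs in the sample data are constructed placeholders.

```python
"""Fleet check for CVE-2026-3063 covering both controls named above:
SI-2 (is the Chrome build older than the fixed release?) and CM-11 (are
any installed extensions outside the approved allowlist?). Added example."""

FIXED_VERSION = "145.0.7632.116"  # fixed build named in the advisory

# Constructed allowlist: the 32-char IDs are placeholders, not real extensions.
EXT_APPROVED_A = "a" * 32
EXT_APPROVED_B = "b" * 32
EXT_UNKNOWN = "c" * 32
APPROVED_EXTENSIONS = {EXT_APPROVED_A, EXT_APPROVED_B}

def parse_version(version):
    """Turn 'MAJOR.MINOR.BUILD.PATCH' into a tuple of ints. A plain string
    comparison would wrongly rank '145.0.7632.99' above '145.0.7632.116'."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Chrome version format: {version!r}")
    return tuple(int(p) for p in parts)

def is_vulnerable_version(version):
    """True when the build predates the fixed release."""
    return parse_version(version) < parse_version(FIXED_VERSION)

def assess_host(host):
    """Findings for one record {"name", "chrome_version", "extensions"}."""
    findings = []
    if is_vulnerable_version(host["chrome_version"]):
        findings.append(f"SI-2: Chrome {host['chrome_version']} < {FIXED_VERSION}, update required")
    for ext in sorted(set(host["extensions"]) - APPROVED_EXTENSIONS):
        findings.append(f"CM-11: extension {ext} is not on the allowlist")
    return findings

def assess_fleet(inventory):
    """Map host name -> findings, keeping only hosts that need action."""
    return {h["name"]: f for h in inventory if (f := assess_host(h))}

# Constructed sample inventory (host names and versions are made up).
SAMPLE_INVENTORY = [
    {"name": "ws-01", "chrome_version": "145.0.7632.116", "extensions": [EXT_APPROVED_A]},
    {"name": "ws-02", "chrome_version": "145.0.7632.99", "extensions": [EXT_APPROVED_A, EXT_UNKNOWN]},
    {"name": "ws-03", "chrome_version": "144.0.7559.200", "extensions": []},
]

if __name__ == "__main__":
    for name, findings in assess_fleet(SAMPLE_INVENTORY).items():
        print(name, *findings, sep="\n  - ")
```

In a real deployment the inventory would come from the endpoint management or browser management system rather than an inline list.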